In March 2016, the FCC hit Verizon with a $1.35 million fine for tracking customers with a unique identifier header (UIDH), also known as a “supercookie.” It was big news when the FCC forced Verizon to allow customers to opt-out of the tracking. But what is a supercookie? Why is a supercookie worse than a regular cookie?

Here’s what you need to know about supercookies—and how to remove them.

What Is a Cookie?

To understand supercookies, you need to understand what regular cookies are. An HTTP cookie, usually just known as a cookie, is a small piece of data that a website asks the user’s browser to store when they visit it. The cookie holds small pieces of information useful to the website, the user, and the interactions between the two.

For example, when you put items in your Amazon shopping cart, those items are stored in a cookie. If you leave Amazon and return later, your items are still in your cart, because the browser sends the cookie back to Amazon when you return to the site.

Regular cookies serve other functions too, like telling a website you are already logged in, so you don’t have to log in again when you return. More controversially, third-party tracking cookies follow you around the internet, reporting back to marketing and other companies about what you’re up to online.

What Is a Supercookie?

A supercookie is a tracking cookie with a more sinister purpose, and it also works differently from a regular cookie.

With a regular cookie, if you don’t want it to follow you around the internet, you can clear your browsing data, including your cookies. You can block cookies and third-party cookies in your browser, and have cookies auto-deleted when your browser session ends. You will have to log into each site again, and your shopping cart items won’t persist, but it also means tracking cookies aren’t tracking you anymore.

A supercookie is different. Clearing your browsing data doesn’t help. This is because a supercookie isn’t really a cookie; it is not stored in your browser.

Instead, an ISP inserts a piece of information unique to a user’s connection into the HTTP request header. That information uniquely identifies the device. In Verizon’s case, it allowed the tracking of every website visited.

Because the ISP injects the supercookie between the device and the server it is connecting to, there’s nothing the user can do about it in the browser. You cannot delete it, because it isn’t stored on your device. Ad and script blocking software cannot stop it, because it is added after the request leaves the device.

The Dangers of Supercookies

The potential for privacy violation here should be obvious — in most cases, cookies are tied to a single website and can’t be read by another site. The UIDH can be revealed to any website and contains a potentially vast amount of information on a user’s habits and history. Verizon was advertising this capability to its partners, too. It is highly likely this specific use of a supercookie was intended to capture a lot of data in order to sell it.

The Electronic Frontier Foundation (EFF) also notes that a supercookie can be used by advertisers to essentially resurrect deleted cookies from a user’s device and link them to new ones, circumventing the strategies that users might take to prevent tracking:

[S]uppose an ad network assigned you a cookie with the unique value “cookie1,” and Verizon assigned you the X-UIDH header “old_uid.” When Verizon changes your X-UIDH header to a new value, say “new_uid,” the ad network can connect “new_uid” and “old_uid” to the same cookie value “cookie1” and see that all three values represent the same person. Similarly, if you subsequently clear cookies, the ad network will assign a new cookie value “cookie2.” Since your X-UIDH value is the same (say, “new_uid”) before and after clearing cookies, the ad network can connect “cookie1” and “cookie2” to the same X-UIDH value “new_uid.” The back-and-forth bootstrapping of identity makes it impossible to truly clear your tracking history while the X-UIDH header is enabled.

In the same blog post, the EFF also notes that a UIDH applies to data sent from apps as well, which isn’t as easy to track otherwise. The combination allows the creation of a fine-grained picture of a user’s internet usage. Verizon also bypasses the “Limit ad tracking” settings on iOS and Android. Skirting this limit compounds the potential privacy violations that supercookies perpetrate.
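The EFF’s “bootstrapping of identity” is easiest to see as a linking problem: every request on which an ad network sees a cookie and an X-UIDH value together joins those two identifiers, and clearing cookies only helps if nothing else joins the old identifiers to the new ones. The following is an added example, not code from the article or from the EFF post; the identifier values (cookie1, cookie2, old_uid, new_uid) are the ones from the quote above, and the union-find model and its method names are assumptions of this illustration. It also shows the control case, a visit with no UIDH at all, which the quote implies but does not spell out.

```python
# Added example (not from the article or the EFF post): a minimal model of the
# identity "bootstrapping" the EFF describes. Each observation an ad network
# makes is a (cookie_value, x_uidh_value) pair seen on one request. A
# union-find structure links every identifier that ever appeared together,
# so the reader can check what survives a cookie clear or a UIDH rotation.
from __future__ import annotations

from typing import Optional


class IdentityLinker:
    """Union-find over identifier strings such as 'cookie:cookie1' or 'uidh:old_uid'."""

    def __init__(self) -> None:
        self._parent: dict[str, str] = {}

    def _find(self, x: str) -> str:
        self._parent.setdefault(x, x)
        while self._parent[x] != x:
            self._parent[x] = self._parent[self._parent[x]]  # path halving
            x = self._parent[x]
        return x

    def observe(self, cookie: str, uidh: Optional[str] = None) -> None:
        """Record one request. With no X-UIDH header (e.g. the request was
        encrypted end to end) only the cookie itself is registered."""
        c = self._find(f"cookie:{cookie}")
        if uidh is None:
            return
        u = self._find(f"uidh:{uidh}")
        if c != u:
            self._parent[c] = u

    def same_person(self, x: str, y: str) -> bool:
        return self._find(x) == self._find(y)

    def cluster(self, x: str) -> set[str]:
        """All identifiers the network can tie to x."""
        root = self._find(x)
        return {k for k in list(self._parent) if self._find(k) == root}


def eff_scenario() -> set[str]:
    """Replay the sequence from the EFF quote and return the linked cluster."""
    linker = IdentityLinker()
    linker.observe("cookie1", "old_uid")   # ad network cookie + original UIDH
    linker.observe("cookie1", "new_uid")   # Verizon rotates the header; cookie unchanged
    linker.observe("cookie2", "new_uid")   # user clears cookies; header unchanged
    return linker.cluster("cookie:cookie1")


def no_uidh_scenario() -> bool:
    """Control case: the same cookie clear, but no UIDH ever reached the
    ad network. The old and new cookies stay unlinked."""
    linker = IdentityLinker()
    linker.observe("cookie1")
    linker.observe("cookie2")
    return linker.same_person("cookie:cookie1", "cookie:cookie2")


if __name__ == "__main__":
    print("linked with UIDH:", sorted(eff_scenario()))
    print("linked without UIDH:", no_uidh_scenario())
```

The point for a defender is in the two results: with the header present, both cookie values and both UIDH values end up in one cluster regardless of the order in which the rotation and the cookie clear happen; with the header absent, a cookie clear actually severs the history.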

What Data Does a Supercookie Send?

A supercookie includes information on the request made by a user, like the website that they’re trying to visit and the time that the request was made. This is known as metadata (and is very similar to the metadata collected by the NSA from cell phone records). But supercookies can include other types of data as well.

Regardless of the exact type of data, if Verizon were to suffer a data breach and these cookies were tied to specific users, it would become a privacy nightmare. The EFF already found that hashed phone numbers were in use as user identifiers, which is a worrying sign. Hackers, other companies, or government organizations would love to get their hands on this type of information.

The fact that Verizon was one of the companies taking part in the NSA’s PRISM program only makes this more worrying.

A zombie cookie survives deletion because it hides outside of your browser’s regular cookie storage. Zombie cookies are written to local storage, HTML5 storage, RGB color code values, Silverlight storage, and more, and they come back from the dead whenever a single copy is missed; that’s why they’re known as zombie cookies. An advertiser only needs to find an existing copy in one of those locations to resurrect the rest. If a user fails to delete a single zombie cookie from any of the storage locations, they’re back to square one.
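The zombie-cookie behaviour above comes down to one rule: as long as one copy survives anywhere, every location is repopulated on the next visit. The model below is an added example, not code from the article; the storage names are labels taken from the paragraph above rather than real browser APIs, the tracking id is constructed, and the class and method names are assumptions. It is written from the clean-up side: the useful function is the one that reports which locations still hold an identifier after a partial clear.

```python
# Added example (not from the article): a model of the multi-location
# "zombie cookie" pattern, written to show why clearing only the browser
# cookie jar is not enough. The storage names are illustrative labels taken
# from the article's list, not real browser storage APIs.
from typing import Optional

STORAGE_LOCATIONS = (
    "http_cookie",        # the ordinary cookie jar
    "local_storage",      # window.localStorage
    "html5_storage",      # other HTML5 stores such as IndexedDB
    "rgb_color_code",     # identifier encoded in a cached image colour value
    "silverlight_store",  # plugin isolated storage
)


class ZombieCookieModel:
    def __init__(self) -> None:
        self.stores: dict[str, Optional[str]] = {loc: None for loc in STORAGE_LOCATIONS}

    def plant(self, tracking_id: str) -> None:
        """Tracker writes the same id to every location it can reach."""
        for loc in self.stores:
            self.stores[loc] = tracking_id

    def clear(self, *locations: str) -> None:
        """User clears some locations (e.g. only the cookie jar)."""
        for loc in locations:
            self.stores[loc] = None

    def resurrect(self) -> Optional[str]:
        """On the next visit the tracker reads any surviving copy and
        re-plants it everywhere. Returns the id it found, or None."""
        survivors = {v for v in self.stores.values() if v is not None}
        if not survivors:
            return None
        tracking_id = next(iter(survivors))
        self.plant(tracking_id)
        return tracking_id

    def leftover_locations(self) -> list[str]:
        """Clean-up check: which locations still hold an identifier."""
        return [loc for loc, v in self.stores.items() if v is not None]


def partial_clear_demo() -> tuple[Optional[str], list[str]]:
    """The usual 'clear cookies' action: two of five locations wiped."""
    m = ZombieCookieModel()
    m.plant("zid-42")                          # constructed sample id
    m.clear("http_cookie", "local_storage")
    return m.resurrect(), m.leftover_locations()


def full_clear_demo() -> tuple[Optional[str], list[str]]:
    """Every location wiped: nothing is left to resurrect from."""
    m = ZombieCookieModel()
    m.plant("zid-42")
    m.clear(*STORAGE_LOCATIONS)
    return m.resurrect(), m.leftover_locations()


if __name__ == "__main__":
    print("partial clear:", partial_clear_demo())
    print("full clear:   ", full_clear_demo())
```

Running the partial clear shows the id coming back into all five locations, including the two that were just emptied; only the full clear returns None, which is the “delete every single copy” requirement the paragraph describes.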

How to Remove a Supercookie

Supercookies store a lot of information about you. Some can resurrect deleted normal cookies, and some aren’t stored on your device. What on earth can you do about them, then?

Unfortunately, the answer for some supercookie types is “not very much.”

Verizon allows subscribers to opt out of UIDH tracking. If you are a Verizon user, head to www.vzw.com/myprivacy, log into your account, and go to the Relevant Mobile Advertising section. Select “No, I don’t want to participate in Relevant Mobile Advertising.” Please note that opting out doesn’t actually disable the header. It only tells Verizon not to share detailed demographic information with advertisers searching for a UIDH value. Furthermore, if you participate in the Verizon Selects program, the UIDH will remain active even after opting out.

If an ISP decides to use a UIDH-level supercookie to track you, you’re basically plumb out of luck. If someone is tracking you with a supercookie, your best bet is to use a VPN to create an encrypted connection between yourself and the rest of the internet, so that the ISP sees only the encrypted tunnel and has no plaintext request to modify. HTTPS is almost the de facto standard for internet browsing, and it also protects your internet traffic from snoopers: an ISP cannot insert a header into a request it cannot read. Where possible, always use HTTPS over a basic HTTP connection.
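The mechanism described under “What Is a Supercookie?” (the ISP adds a header to the request in transit) and the mitigation just described (over HTTPS or a VPN the ISP has nothing readable to modify) can be checked with one model. The code below is an added example, not code from the article or from any ISP: the header name X-UIDH is the one from the EFF quote, the request, hostname and identifier value are constructed, and the middlebox and function names are assumptions. The check it implements is the standard echo comparison: record the headers the client sent, have the origin report the headers it received, and treat anything extra as injected.

```python
# Added example (not from the article): a model of where a UIDH is added and
# how its presence can be checked. The "middlebox" stands in for the ISP: it
# can only rewrite requests it can read, so a TLS-protected request (HTTPS
# or a VPN tunnel) passes through unchanged. Header name from the EFF quote;
# request, hostname and identifier value are constructed for the example.
from __future__ import annotations

UIDH_HEADER = "X-UIDH"
TRACKING_HEADERS = {UIDH_HEADER.lower()}


def parse_headers(raw: bytes) -> dict[str, str]:
    """Parse the header section of an HTTP/1.1 request into a lower-cased dict."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", errors="replace")
    headers: dict[str, str] = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return headers


def isp_middlebox(raw: bytes, over_tls: bool, uid: str) -> bytes:
    """Model of the injection point. With TLS the middlebox sees only
    ciphertext, so the request is forwarded untouched."""
    if over_tls:
        return raw
    head, sep, body = raw.partition(b"\r\n\r\n")
    return head + f"\r\n{UIDH_HEADER}: {uid}".encode("ascii") + sep + body


def injected_headers(sent: bytes, received: bytes) -> dict[str, str]:
    """Echo-style check: compare what the client sent with what the origin
    received; any header present only on the receiving side was added in transit."""
    sent_h, recv_h = parse_headers(sent), parse_headers(received)
    return {k: v for k, v in recv_h.items() if k not in sent_h}


def has_tracking_header(received: bytes) -> bool:
    """Server-side or audit-log check for known injected tracking headers."""
    return any(h in TRACKING_HEADERS for h in parse_headers(received))


# Constructed sample request (no real hostname, cookie or identifier).
SAMPLE_REQUEST = (
    b"GET /echo HTTP/1.1\r\n"
    b"Host: echo.example\r\n"
    b"User-Agent: demo/1.0\r\n"
    b"Cookie: session=abc123\r\n"
    b"\r\n"
)


def run_check(over_tls: bool) -> dict[str, str]:
    """Send the sample request through the middlebox and report injected headers."""
    received = isp_middlebox(SAMPLE_REQUEST, over_tls, uid="UIDH-EXAMPLE-0001")
    return injected_headers(SAMPLE_REQUEST, received)


if __name__ == "__main__":
    print("plain HTTP:", run_check(over_tls=False))
    print("HTTPS/VPN: ", run_check(over_tls=True))
```

For a real check the same comparison is made against an echo endpoint reached once over plain HTTP and once over HTTPS; the plaintext request is the only one that can come back with a header the client never sent. Note that the opt-out described above does not change this result, since the article explains that the header itself stays in place.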

Online Tracking Is Dangerous

UIDHs are a serious threat to internet privacy. They’re not stored on your computer, can uniquely identify your web traffic, and are extremely difficult to detect. Using HTTPS and a VPN helps, but what internet users need is strong legislation requiring ISPs to allow us to opt out from such tracking programs, if not to stop dangerous, invasive tracking programs altogether. Lawmakers in the US state of Maine recently passed a bill preventing ISPs from selling private internet data to advertisers.

I looked at Better Privacy, but from what I understand, it gets rid of a different kind of cookie. It specifically mentions Flash cookies, which are stored on your computer. The kind of supercookie that we're talking about here isn't stored on your computer, and can't be subverted by an extension, because it's applied after the data leaves your computer.

We do block those types of ads from appearing on the site, but when an ad network slips one in, we need to have details about it in order to block it. A screenshot can help. So does knowing where it appeared on the page so we can isolate what ad network served it.

Because the same ads are not served to everyone, MakeUseOf staff may never end up seeing them so if you don't want to see it again on the site, drop a line with details and we will set about removing it from the rotation.

Notice the UIDH tracking devices were fielded among consumers before anyone in our congress expressed the slightest concern about privacy violations.

This is the same congress which pliantly grants NSA or CIA permission to download American consumer "metadata", and is even less interested in closely monitoring how they do it, or what they do with it.

Unfortunately, it doesn't seem like congress is overly concerned with this sort of thing. In fact, it wouldn't surprise me if intelligence services are currently looking for ways to use this tech to their advantage.

"what we really need is legislation that requires ISPs to allow us to opt out from these programs (and enforces these opt-outs)."
What we REALLY need is punishment severe enough to make companies think twice about using supercookies, maybe $1 million per supercookie per user, or in case of an ISP the loss of access to the EM spectrum.

"What we really need is legislation that requires any provider "you are paying" to not track anything unless you opt-in"

If they want to give me my service for free, and I accept that, then feel free to do what you will. If I am paying for a service, they should not be doing anything.

We need legislation that puts the control back into the population's hands.
It should not be assumed it is ok!!
By default it should be not ok unless explicit permission is given, and not in some huge ULA that no one reads.

The requirement for opt-in would be fantastic, and would probably help a whole lot when it comes to privacy. With the amount of legislative power that ISPs have, though, I can't see this becoming a reality. I sincerely hope that we come up with something that helps get rid of supercookies, but I'm not super confident at the moment.

You know, I'm not totally sure. I'm sure other companies are using it as well, but I haven't seen a list anywhere. I'll keep an eye out for one and post a link if I see anything, but I'm not sure how many companies are going to want to reveal their use of this tech, considering that Verizon's been slapped with a fine now.

The thing about supercookies is that they DON'T lurk on your computer. That's what makes them so insidious. It's information that is inserted into the data you send over a network, so it's never actually stored. Which means you can't get rid of them. Doesn't seem fair, does it?

Gavin is a Senior Writer for MUO, and an Editor for Blocks Decoded. He has a BA (Hons) Contemporary Writing with Digital Art Practices pillaged from the hills of Devon, as well as a decade of professional writing experience. He enjoys copious amounts of tea.